Cost of Data Breaches Continues to Rise

Data breaches cost enterprises an estimated £79 ($125.55) per record, according to a report published Tuesday, 68% more than when the report started tracking these incidents in 2007.

The 2011 Annual Study: UK Cost of a Data Breach, published by the Ponemon Institute, also found that more than a third of losses are caused not by hackers but by negligent employees or contractors. This is a reversal from last year, when hackers had briefly been the larger threat.

The report, based on the costs incurred by 36 U.K. companies in 11 different industry sectors, covered breaches ranging from approximately 3,500 records to more than 78,000 records. The report’s sponsor was Symantec, an organization that sells computer-security services.

The institute’s founder, Larry Ponemon, said the driver behind the increase in cost per data breach was greater consumer awareness, which has prompted companies to step up remedial action.

“Five years ago when we started reporting on data breaches in the U.K., data breaches were a pretty nebulous concept,” he said.

“Since then there have been an increasing number of high-profile cases and consumers are much more aware. As a result, more and more companies recognize that their brand, and the trust the consumer has, is at stake. Organizations will spend real money if it becomes a reputation issue.

“If a company has a breach, they may not be able to turn it into a positive publicity event, but by taking the right action they can protect their brand a little better.”

Mr. Ponemon said one counter-trend has been the decreasing churn, or loss of customers, that breaches trigger.

The report found that the average cost in churn caused by a breach fell from £910,000 in lost business to £780,000, though the figure depended on the type of company and, crucially, customers’ expectations of it. “If you go to your bank, then you have very high expectations that they will look after your data,” he said.

But Mr. Ponemon did draw attention to potential costs triggered by breaches in the public sector. The risk is that consumers who lose confidence in public-sector services can’t stop paying their taxes or using those services, so they will switch back to using paper forms, he said. “You won’t get 90% of people switching, but you might get enough people to revert that it drives up costs.”

The report also found that companies that employ a chief information security officer or equivalent have significantly lower costs of data breaches, some £18 per record cheaper. Mr. Ponemon said this was in large part due to those organizations having better procedures and clear paths of responsibility for data security.

The report found that malicious or criminal attacks increased slightly from 29% to 31% of data breaches experienced by organizations in this study. This type of breach is also the most costly. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.

Comments (3 of 3)

“Will companies read the study, take it to heart, and recognize the value of security leadership? Will they see that in many cases a CISO more than pays for him or herself by protecting the enterprise from the pitfalls of embarrassment, fines, damaged reputation and lost business?”

Staff are always a difficult nut to crack in terms of using systems. It seems that no matter how simple you try and make a 'How to' guide people either don't read it or understand it. But isn't this a business culture thing? Shouldn't it come down from the CIO to all employees? http://ow.ly/9NiS6

About Tech Europe

Tech Europe covers Europe’s technology leaders, their companies, and the people and industries that support them — and their ideas. The blog is edited by Ben Rooney, with contributions from The Wall Street Journal and Dow Jones Newswires.